SUSE-CU-2021:238-1: Security update of ses/6/rook/ceph

sle-security-updates at lists.suse.com
Thu Jun 3 06:08:00 UTC 2021


SUSE Container Update Advisory: ses/6/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:238-1
Container Tags        : ses/6/rook/ceph:1.1.1.0 , ses/6/rook/ceph:1.1.1.0.1.5.424 , ses/6/rook/ceph:latest
Container Release     : 1.5.424
Severity              : important
Type                  : security
References            : 1050625 1078466 1080040 1083473 1112500 1115408 1125671 1140565
                        1141597 1145463 1146705 1154393 1160876 1165780 1165780 1167939
                        1171549 1171998 1172442 1174016 1174436 1174466 1174514 1175289
                        1175458 1175519 1176201 1176262 1176784 1176785 1177200 1177238
                        1177275 1177427 1177460 1177460 1177490 1177533 1177583 1177976
                        1178016 1178168 1178216 1178219 1178235 1178386 1178407 1178657
                        1178775 1178775 1178837 1178860 1178905 1178909 1178910 1178966
                        1179083 1179222 1179326 1179363 1179503 1179691 1179691 1179694
                        1179721 1179738 1179756 1179816 1179824 1179847 1179909 1179997
                        1180020 1180038 1180073 1180077 1180083 1180118 1180225 1180594
                        1180596 1180603 1180603 1180603 1180663 1180684 1180685 1180686
                        1180687 1180721 1180851 1180885 1181011 1181090 1181126 1181183
                        1181328 1181358 1181378 1181443 1181505 1181540 1181618 1181622
                        1181651 1181665 1181831 1181874 1181976 1182053 1182117 1182279
                        1182328 1182331 1182333 1182362 1182379 1182408 1182411 1182412
                        1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182471
                        1182629 1182791 1182936 1183012 1183064 1183074 1183094 1183194
                        1183370 1183371 1183374 1183456 1183457 1183487 1183600 1183628
                        1183791 1183797 1183933 1183936 1183942 1184136 1184358 1184401
                        1184435 1184507 1184614 1184690 1184997 1185163 1185170 1185239
                        1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438
                        1185562 1185619 1185698 1186020 1186021 1186114 CVE-2017-9271
                        CVE-2019-20916 CVE-2019-25013 CVE-2020-11078 CVE-2020-11080 CVE-2020-14343
                        CVE-2020-25659 CVE-2020-25678 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618
                        CVE-2020-27839 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222
                        CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227
                        CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-20231 CVE-2021-20232
                        CVE-2021-20288 CVE-2021-20305 CVE-2021-21240 CVE-2021-22876 CVE-2021-22898
                        CVE-2021-23239 CVE-2021-23240 CVE-2021-23336 CVE-2021-23840 CVE-2021-23841
                        CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987 CVE-2021-24031
                        CVE-2021-24032 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3156
                        CVE-2021-3156 CVE-2021-3177 CVE-2021-3326 CVE-2021-3426 CVE-2021-3509
                        CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518
                        CVE-2021-3518 CVE-2021-3520 CVE-2021-3524 CVE-2021-3531 CVE-2021-3537
-----------------------------------------------------------------

The container ses/6/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:79-1
Released:    Tue Jan 12 10:49:34 2021
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1167939
This update for gcc7 fixes the following issues:

- Amend the gcc7 aarch64 atomics for glibc namespace violation with getauxval.  [bsc#1167939]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released:    Thu Jan 14 12:26:15 2021
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1178909,1179503,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:179-1
Released:    Wed Jan 20 13:38:51 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released:    Tue Jan 26 14:00:51 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1180603
This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL-2.0+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:227-1
Released:    Tue Jan 26 19:22:14 2021
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156
This update for sudo fixes the following issues:

- A heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges
  [bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a race condition in `sudoedit`
  [bsc#1180684,CVE-2021-23239]
- A possible symlink attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685,
  CVE-2021-23240]
- It was possible for a user to enable debug settings not intended for them [bsc#1180687]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released:    Wed Jan 27 12:15:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1141597,1174436,1175458,1177490,1179363,1179824,1180225
This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error, when daemon-reload is called between
  StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released:    Mon Feb  1 15:06:45 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1178775,1180885
This update for systemd fixes the following issues:

- Fix for udev creating the '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:266-1
Released:    Mon Feb  1 21:02:37 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1177533,1179326,1179691,1179738
This update for lvm2 fixes the following issues:

- Fixed an issue where the boot logical volume got unmounted during patching. (bsc#1177533)
- Fix for lvm2 to use external_device_info_source='udev' by default. (bsc#1179691)
- Fixed an issue in the configuration for an item that is commented out by default. (bsc#1179738)
- Fixed major performance issues that occurred on the system after a storage migration. (bsc#1179326)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released:    Wed Feb  3 12:52:34 2021
Summary:     Recommended update for gmp
Type:        recommended
Severity:    moderate
References:  1180603
This update for gmp fixes the following issues:

- Correct license statements of packages (the library itself is not GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released:    Thu Feb  4 08:46:27 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:304-1
Released:    Thu Feb  4 13:19:43 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1179691
This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as the default because it introduced a
  regression (bsc#1179691).

  If this behavior is still wanted, please change this manually in lvm.conf.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:307-1
Released:    Fri Feb  5 05:30:34 2021
Summary:     Recommended update for libselinux
Type:        recommended
Severity:    low
References:  1180603
This update for libselinux fixes the following issues:

- Corrected the license to public domain (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released:    Mon Feb  8 13:16:07 2021
Summary:     Optional update for pam
Type:        optional
Severity:    low
References:  
This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released:    Fri Feb 19 14:53:47 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:580-1
Released:    Wed Feb 24 11:16:42 2021
Summary:     Optional update for python-cffi
Type:        optional
Severity:    low
References:  1182471
This update for python-cffi fixes the following issues:

- Restored compatibility with Python 2.7 update (bsc#1182471)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:596-1
Released:    Thu Feb 25 10:26:30 2021
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1181618
This update for gcc7 fixes the following issues:

- Fixed webkit2gtk3 build (bsc#1181618)
- Change GCC exception licenses to SPDX format
- Remove include-fixed/pthread.h

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar  8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
  X.509 DN parsing in decode.c ber_next_element, resulting in denial
  of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
  parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
  in the Certificate List Exact Assertion processing, resulting in
  denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
  cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
  saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
  in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
  crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
  saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
  Assertion processing, resulting in denial of service (schema_init.c
  serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
  control handling, resulting in denial of service (double free and
  out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
  in the issuerAndThisUpdateCheck function via a crafted packet,
  resulting in a denial of service (daemon exit) via a short timestamp.
  This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:753-1
Released:    Tue Mar  9 17:09:57 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201
This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:890-1
Released:    Fri Mar 19 15:51:41 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219
This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as the length but stores it in a guint; the patch makes it refuse any length larger than a guint can hold instead of silently truncating it. (bsc#1182328)

- CVE-2021-27219: g_memdup takes a guint as its size parameter, which can lead to an integer overflow when callers compute sizes in gsize; a g_memdup2 function that takes a gsize was added to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released:    Tue Mar 23 10:00:49 2021
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
This update for filesystem fixes the following issues:

- Remove a duplicate line introduced by a merge error
- Add fix for 'mesa' creating its cache with permissions 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allow overriding the config to add cleanup options for '/var/tmp'. (bsc#1078466)
- Create config to clean up '/tmp' regularly, as required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case where a bind-mounted directory results in inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:926-1
Released:    Tue Mar 23 13:20:24 2021
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1083473,1112500,1115408,1165780,1183012
This update for systemd-presets-common-SUSE fixes the following issues:

- Add default user preset containing:
  - enable `pulseaudio.socket` (bsc#1083473)
  - enable `pipewire.socket` (bsc#1183012)
  - enable `pipewire-pulse.socket` (bsc#1183012)
  - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
- Changes to the default preset:
  - enable `btrfsmaintenance-refresh.path`.
  - disable `btrfsmaintenance-refresh.service`.
  - enable `dnf-makecache.timer`.
  - enable `ignition-firstboot-complete.service`.
  - enable `logwatch.timer` to avoid having logwatch out of sync with logrotate. (bsc#1112500)
  - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408)
  - no longer enable `updatedb.timer`
- Avoid needless refresh on boot. (bsc#1165780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:931-1
Released:    Wed Mar 24 12:10:41 2021
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1172442,1181358,CVE-2020-11080
This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:934-1
Released:    Wed Mar 24 12:18:21 2021
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1183456,1183457,CVE-2021-20231,CVE-2021-20232
This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:947-1
Released:    Wed Mar 24 14:30:58 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1182379,CVE-2021-23336
This update for python3 fixes the following issues:

- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed a potential web cache poisoning caused by the use of a semicolon as a query string separator in query parameters (bsc#1182379).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released:    Wed Mar 24 14:31:34 2021
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1183370,1183371,CVE-2021-24031,CVE-2021-24032
This update for zstd fixes the following issues:

- CVE-2021-24031: Fixed an issue where read permissions were granted on files while they were being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access a world-readable destination file (bsc#1183370).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:952-1
Released:    Thu Mar 25 14:36:56 2021
Summary:     Recommended update for libunwind
Type:        recommended
Severity:    moderate
References:  1160876,1171549
This update for libunwind fixes the following issues:

- Update to version 1.5.0. (jsc#ECO-3395)
- Enable s390x for building. (jsc#ECO-3395)
- Fix compilation with 'fno-common'. (bsc#1171549)
- Fix build with 'GCC-10'. (bsc#1160876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:953-1
Released:    Thu Mar 25 14:37:26 2021
Summary:     Recommended update for psmisc
Type:        recommended
Severity:    moderate
References:  1178407
This update for psmisc fixes the following issues:

- Fixed 'fuser' not showing open KVM storage image files such as 'qcow2' files. (bsc#1178407)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:956-1
Released:    Thu Mar 25 19:19:04 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271
This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks
  (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328)
  Some systemd tools require /proc to be mounted and fail if it's
  not there.
- Enable release packages to request a relaxed suse/opensuse
  vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847)
  This allows the RH and SUSE patch category names to be used
  synonymously:
  (recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265)
  The scripts are executable. No need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use the new rpmdb2solv -D switch to tell it the location of the
  rpm database to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still make sure a compat
  symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:985-1
Released:    Tue Mar 30 14:42:46 2021
Summary:     Recommended update for the Azure SDK and CLI
Type:        recommended
Severity:    moderate
References:  1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659

This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit).
(bsc#1176784, jsc#ECO-3105)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released:    Thu Apr  1 15:07:09 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    moderate
References:  1180073
This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1007-1
Released:    Thu Apr  1 17:47:20 2021
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987
This update for MozillaFirefox fixes the following issues:

- Firefox was updated to 78.9.0 ESR  (MFSA 2021-11, bsc#1183942)
  * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
  * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
  * CVE-2021-23984: Malicious extensions could have spoofed popup information
  * CVE-2021-23987: Memory safety bugs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released:    Mon Apr 12 13:13:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1182791
This update for openldap2 fixes the following issues:

- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1169-1
Released:    Tue Apr 13 15:01:42 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1181976
This update for procps fixes the following issues:

- Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1275-1
Released:    Tue Apr 20 14:31:26 2021
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1183936,CVE-2021-3156
This update for sudo fixes the following issues:

- L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1295-1
Released:    Wed Apr 21 14:08:19 2021
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1184136
This update for systemd-presets-common-SUSE fixes the following issues:

- Enabled hcn-init.service for HNV on POWER (bsc#1184136)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1296-1
Released:    Wed Apr 21 14:09:28 2021
Summary:     Optional update for e2fsprogs
Type:        optional
Severity:    low
References:  1183791
This update for e2fsprogs fixes the following issues:

- Fixed an issue when building e2fsprogs (bsc#1183791)

This patch does not fix any user visible issues and is therefore optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1297-1
Released:    Wed Apr 21 14:10:10 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1178219
This update for systemd fixes the following issues:

- Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot
  be stopped properly and would leave mount points mounted.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released:    Wed Apr 28 15:49:02 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    important
References:  1184690
This update for libcap fixes the following issues:

- Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1412-1
Released:    Wed Apr 28 17:09:28 2021
Summary:     Security update for libnettle
Type:        security
Severity:    important
References:  1184401,CVE-2021-20305
This update for libnettle fixes the following issues:

- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1449-1
Released:    Fri Apr 30 08:08:25 2021
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    moderate
References:  1165780
This update for systemd-presets-branding-SLE fixes the following issues:

- Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. (bsc#1165780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1472-1
Released:    Tue May  4 08:56:37 2021
Summary:     Security update for ceph, deepsea
Type:        security
Severity:    important
References:  1145463,1174466,1177200,1178016,1178216,1178235,1178657,1178837,1178860,1178905,1179997,1180118,1180594,1181183,1181378,1181665,1183074,1183487,1183600,CVE-2020-25678,CVE-2020-27839,CVE-2021-20288
This update for ceph, deepsea fixes the following issues:

- ceph was updated to 14.2.20-402-g6aa76c6815:
    * CVE-2021-20288: Fixed unauthorized global_id reuse (bsc#1183074).
    * CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905).
    * CVE-2020-27839: Use secure cookies to store JWT Token (bsc#1179997). 
    * mgr/dashboard: prometheus alerting: add some leeway for package drops and errors (bsc#1145463) 
    * mon: have 'mon stat' output json as well (bsc#1174466) 
    * rpm: ceph-mgr-dashboard recommends python3-saml on SUSE (bsc#1177200) 
    * mgr/dashboard: Display a warning message in Dashboard when debug mode is enabled (bsc#1178235) 
    * rgw: cls/user: set from_index for reset stats calls (bsc#1178837) 
    * mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860)
    * bluestore: provide a different name for fallback allocator (bsc#1180118) 
    * test/run-cli-tests: use cram from github (bsc#1181378) 
    * mgr/dashboard: fix 'Python2 Cookie module import fails on Python3' (bsc#1183487) 
    * common: make ms_bind_msgr2 default to 'false' (bsc#1180594) 

- deepsea was updated to 0.9.35
    * osd: add method to zap simple osds (bsc#1178657, bsc#1178216)
    * upgrade to cephadm: fix Drive Group generation (bsc#1181665)
    * Rework config change detection to handle global.conf correctly (bsc#1181183)
    * Use -i to pass credentials to `ceph dashboard` commands (bsc#1183600)
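CVE-2021-20288 above is the one an operator has to follow up on by hand: once the monitors are patched, clients that still reclaim their global_id insecurely are reported through cluster health, and the insecure mode can only be switched off after those clients are gone. The following check is an added example for this advisory, not Ceph's or SUSE's own code. It assumes the two health check names the upstream fix introduced (AUTH_INSECURE_GLOBAL_ID_RECLAIM for clients still reclaiming insecurely, AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED for monitors still permitting it) and the JSON layout of `ceph health detail --format json`; the sample document is constructed, not captured from a cluster.

```python
"""Decide what to do about insecure global_id reclaim (CVE-2021-20288) from the
JSON form of `ceph health detail`.

Added illustration for this advisory, not Ceph's code.  Assumptions: the two
health check names below and the {"checks": {NAME: {"detail": [...]}}} layout.
"""
import json

# Health check names introduced by the upstream fix (assumed, see lead-in).
CLIENTS_STILL_INSECURE = "AUTH_INSECURE_GLOBAL_ID_RECLAIM"
MONS_STILL_ALLOW = "AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED"

# Constructed sample: mons are patched but one client has not been upgraded yet.
SAMPLE_HEALTH_JSON = json.dumps({
    "status": "HEALTH_WARN",
    "checks": {
        MONS_STILL_ALLOW: {
            "severity": "HEALTH_WARN",
            "summary": {"message": "mons are allowing insecure global_id reclaim"},
            "detail": [{"message": "mon.a has auth_allow_insecure_global_id_reclaim set to true"}],
        },
        CLIENTS_STILL_INSECURE: {
            "severity": "HEALTH_WARN",
            "summary": {"message": "client is using insecure global_id reclaim"},
            "detail": [{"message": "client.admin at 192.0.2.10:0/123 is using insecure global_id reclaim"}],
        },
    },
})


def assess_global_id_reclaim(health_json: str) -> dict:
    """Report which of the two conditions is present and the safe next step."""
    checks = json.loads(health_json).get("checks", {})
    mons_allow = MONS_STILL_ALLOW in checks
    clients_insecure = CLIENTS_STILL_INSECURE in checks
    offenders = [d["message"] for d in checks.get(CLIENTS_STILL_INSECURE, {}).get("detail", [])]

    if clients_insecure:
        # Disabling reclaim now would cut these clients off: upgrade them first.
        action = "upgrade the listed clients before disabling insecure reclaim"
    elif mons_allow:
        # All clients reclaim securely; the mon setting can now be turned off.
        action = "ceph config set mon auth_allow_insecure_global_id_reclaim false"
    else:
        action = "no action needed"
    return {
        "mons_allow_insecure": mons_allow,
        "clients_insecure": clients_insecure,
        "offending_clients": offenders,
        "action": action,
    }


if __name__ == "__main__":
    # In practice: ceph health detail --format json | python3 this_script.py
    print(json.dumps(assess_global_id_reclaim(SAMPLE_HEALTH_JSON), indent=2))
```

The order matters: turning `auth_allow_insecure_global_id_reclaim` off while an unpatched client is still listed locks that client out of the cluster, so the script refuses to recommend it until the client-side warning has cleared.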

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released:    Wed May  5 18:24:20 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
This update for libxml2 fixes the following issues:

- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1527-1
Released:    Thu May  6 08:58:53 2021
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1183064
This update for bash fixes the following issues:

- Fixed a segmentation fault that used to occur when bash read a history file
  that was malformed in a very specific way. (bsc#1183064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released:    Fri May  7 15:16:32 2021
Summary:     Recommended update for patterns-microos
Type:        recommended
Severity:    moderate
References:  1184435
This update for patterns-microos provides the following fix:

- Require the libvirt-daemon-qemu package and include the needed dependencies in the
  product. (bsc#1184435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released:    Mon May 10 13:48:00 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1185417
This update for procps fixes the following issues:

- Support up to 2048 CPU as well. (bsc#1185417)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1557-1
Released:    Tue May 11 09:50:00 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1183374,CVE-2021-3426
This update for python3 fixes the following issues:

- CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released:    Tue May 11 14:20:04 2021
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1185163
This update for krb5 fixes the following issues:

- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released:    Wed May 12 13:47:41 2021
Summary:     Optional update for sed
Type:        optional
Severity:    low
References:  1183797
This update for sed fixes the following issues:

- Fixed a building issue with glibc-2.31 (bsc#1183797).

This patch is optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1602-1
Released:    Thu May 13 16:35:19 2021
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1180851,1181874,1182936,1183628,1184997,1185239
This update for libsolv and libzypp fixes the following issues:

libsolv:

Upgrade from version 0.7.17 to version 0.7.19

- Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned.
- Fix memory leaks in error cases
- Fix error handling in `solv_xfopen_fd()`
- Fix regex code on win32
- fixed memory leak in choice rule generation
- `repo_add_conda`: add a flag to skip version 2 packages.

libzypp:

Upgrade from version 17.25.8 to version 17.25.10

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released:    Fri May 14 17:09:39 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614
This update for openldap2 fixes the following issue:

- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released:    Wed May 19 13:51:48 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1181443,1184358,1185562
This update for pam fixes the following issues:

- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to
  an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released:    Wed May 19 13:59:12 2021
Summary:     Security update for lz4
Type:        security
Severity:    important
References:  1185438,CVE-2021-3520
This update for lz4 fixes the following issues:

- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released:    Wed May 19 16:43:36 2021
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
This update for libxml2 fixes the following issues:

- CVE-2021-3537: Fixed a NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698).
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1669-1
Released:    Thu May 20 11:10:44 2021
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1181540,1181651,1183194,1185170
This update for nfs-utils fixes the following issues:

- The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170)
- Improve logging of authentication (bsc#1181540)
- Add man page of the 'nconnect mount'. (bsc#1181651)
- Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1675-1
Released:    Thu May 20 15:00:23 2021
Summary:     Recommended update for snappy
Type:        recommended
Severity:    moderate
References:  1080040,1184507
This update for snappy fixes the following issues:

Update from version 1.1.3 to 1.1.8

- Small performance improvements.
- Removed `snappy::string` alias for `std::string`.
- Improved `CMake` configuration.
- Improved packages descriptions.
- Fix RPM groups.
- Aarch64 fixes
- PPC speedups
- PIE improvements
- Fix license install. (bsc#1080040)
- Fix a 1% performance regression when snappy is used in PIE executable.
- Improve compression performance by 5%.
- Improve decompression performance by 20%.
- Use better download URL.
- Fix a build issue for tensorflow2. (bsc#1184507)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1769-1
Released:    Wed May 26 14:00:17 2021
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1185619,1186020,1186021,CVE-2021-3509,CVE-2021-3524,CVE-2021-3531
This update for ceph fixes the following issues:

- Update to 15.2.12-83-g528da226523:
    * CVE-2021-3509: Fixed a cookie injection issue (bsc#1186021).
    * CVE-2021-3531: RGWSwiftWebsiteHandler::is_web_dir now checks for an empty subdir_name (bsc#1186020).
    * CVE-2021-3524: Sanitize \r in the S3 CORSConfiguration's ExposeHeader (bsc#1185619).
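The CVE-2021-3524 item is a header injection: a value that a bucket owner stores in the CORS configuration is later written back into an HTTP response header, so an embedded carriage return lets the stored value end one header and start another. The snippet below is an added illustration of that bug class for this advisory, not Ceph's RGW code; the serialising functions, their names and the sample ExposeHeader value are all constructed here. It models a server that echoes the configured ExposeHeader names in the Access-Control-Expose-Headers response header, with the unchecked and the hardened variant side by side.

```python
"""CR/LF injection through a stored CORS ExposeHeader value: vulnerable and
hardened header serialisation.  Added example, not Ceph's code; all names and
the sample value below are constructed for illustration.
"""

# Constructed attacker-controlled value as it could be stored via a bucket CORS
# PUT: a legitimate header name, then CR LF, then a smuggled response header.
MALICIOUS_EXPOSE_HEADER = "x-amz-request-id\r\nSet-Cookie: session=attacker"


def render_headers_vulnerable(expose_header: str) -> str:
    """Before: the stored value is concatenated into the response unchecked."""
    return "Access-Control-Expose-Headers: " + expose_header + "\r\n"


def sanitize_header_value(value: str) -> str:
    """After: refuse any ASCII control character in a header value.

    Stripping only "\r" would be too narrow: a bare "\n" still splits headers
    on lenient parsers, so every control character (and DEL) is rejected.
    """
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        raise ValueError("control character in header value")
    return value


def render_headers_hardened(expose_header: str) -> str:
    """Same output as the vulnerable version for clean input, error otherwise."""
    return "Access-Control-Expose-Headers: " + sanitize_header_value(expose_header) + "\r\n"


def is_rejected(expose_header: str) -> bool:
    """True when the hardened path refuses the value."""
    try:
        render_headers_hardened(expose_header)
    except ValueError:
        return False or True
    return False


def parse_header_block(block: str) -> dict:
    """Minimal header parser standing in for the browser: shows what it sees."""
    headers = {}
    for line in block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


if __name__ == "__main__":
    print(parse_header_block(render_headers_vulnerable(MALICIOUS_EXPOSE_HEADER)))
    print("rejected by hardened path:", is_rejected(MALICIOUS_EXPOSE_HEADER))
```

Run stand-alone, the vulnerable path yields two headers, the second of which is the smuggled Set-Cookie; the hardened path raises on the same input and passes an ordinary comma-separated header list through unchanged.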

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1773-1
Released:    Wed May 26 17:22:21 2021
Summary:     Recommended update for python3
Type:        recommended
Severity:    low
References:  
This update for python3 fixes the following issues:

- Make sure to close the import_failed.map file after the exception
  has been raised in order to avoid ResourceWarnings when the
  failing import is part of a try...except block.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1806-1
Released:    Mon May 31 16:23:04 2021
Summary:     Security update for python-httplib2
Type:        security
Severity:    moderate
References:  1171998,1182053,CVE-2020-11078,CVE-2021-21240
This update for python-httplib2 fixes the following issues:

- Update to version 0.19.0 (bsc#1182053).
- CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053).
- CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1809-1
Released:    Mon May 31 16:24:59 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898
This update for curl fixes the following issues:

- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
- Allow partial chain verification (jsc#SLE-17956).
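CVE-2021-22876 above concerns the Referer header a client generates on its own when it follows a redirect: if the previous URL carried user:password in its userinfo part and is copied verbatim, those credentials are sent to the redirect target, which may be a different origin. The code below is an added illustration of that bug class for this advisory, not curl's code; the two Referer builders, the redirect helper and the sample URLs are constructed here.

```python
"""Automatic Referer generation with and without the userinfo leak that
CVE-2021-22876 describes.  Added example, not curl's code; the functions and
sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

SAMPLE_ORIGIN_URL = "https://alice:s3cret@internal.example/reports/q1"  # constructed
SAMPLE_REDIRECT_TARGET = "https://cdn.example/reports/q1.pdf"           # constructed


def referer_vulnerable(previous_url: str) -> str:
    """Before: the previous URL, userinfo included, becomes the Referer."""
    return previous_url


def referer_hardened(previous_url: str) -> str:
    """After: keep scheme, host, port, path and query; drop userinfo and fragment.

    This mirrors what browsers send as a Referer and is what curl switched to.
    (urlsplit().hostname strips IPv6 brackets; re-adding them is left out here.)
    """
    parts = urlsplit(previous_url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def follow_redirect(previous_url: str, location: str, make_referer) -> dict:
    """Headers the client would attach to the request for `location`."""
    return {"Host": urlsplit(location).netloc, "Referer": make_referer(previous_url)}


def leaks_credentials(headers: dict) -> bool:
    """True if the outgoing Referer still carries a username or password."""
    ref = urlsplit(headers.get("Referer", ""))
    return ref.username is not None or ref.password is not None


if __name__ == "__main__":
    for builder in (referer_vulnerable, referer_hardened):
        sent = follow_redirect(SAMPLE_ORIGIN_URL, SAMPLE_REDIRECT_TARGET, builder)
        print(builder.__name__, sent, "leaks:", leaks_credentials(sent))
```

The hardened builder also drops the fragment, which a Referer must never contain; the point of the example is that the cross-origin host in `Host` receives only the origin URL's public part.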
